U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Improvements Needed in EPA's Network Security Monitoring Program

Report No. 12-P-0899                                   September 27, 2012

Report Contributors:
  Rudolph M. Brevard
  Cheryl Reid
  Vincent Campbell
  Neven Soliman
  Kyle Denning

Abbreviations

ASSERT   Automated System Security Evaluation and Remediation Tracking
CERT     Computer Emergency Response Team
CSIRC    Computer Security Incident Response Capability Center
CTS      Customer Technology Solutions
EPA      U.S. Environmental Protection Agency
ISO      Information Security Officer
IT       Information Technology
NCC      National Computer Center
NIST     National Institute of Standards and Technology
OEI      Office of Environmental Information
OIG      Office of Inspector General
OTOP     Office of Technology Operations and Planning
POA&M    Plans of Actions and Milestones
SIEM     Security Incident and Event Management
SP       Special Publication
TISS     Technology and Information Security Staff

Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:

  e-mail:  OIG_Hotline@epa.gov
  phone:   1-888-546-8740
  fax:     202-566-2599
  online:  http://www.epa.gov/oig/hotline.htm
  write:   EPA Inspector General Hotline
           1200 Pennsylvania Avenue NW
           Mailcode 2431T
           Washington, DC 20460

At a Glance

Why We Did This Review

The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) conducted this audit to (1) identify which tools EPA uses to identify, analyze, and resolve cyber-security incidents; (2) identify steps implemented to resolve known weaknesses in its incident response capabilities; and (3) evaluate how users report security incidents.

Continually monitoring network threats through intrusion detection and prevention systems and other mechanisms is essential. Establishing clear procedures for assessing the current and potential business impact of incidents is critical, as is implementing effective methods of collecting, analyzing, and reporting data.

This report addresses the following EPA Goal or Cross-Cutting Strategy:

  • Strengthening EPA's Workforce and Capabilities

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2012/20120927-12-P-0899.pdf

What We Found

EPA's deployment of a Security Incident and Event Management (SIEM) tool did not comply with EPA's system life cycle management procedures, which require planning project activities to include resources needed, schedules, and structured training sessions. EPA did not develop a comprehensive deployment strategy for the SIEM tool to incorporate all of EPA's offices, or a formal training program on how to use the tool. When EPA staff are not able to use an information technology investment, the investment has limited value in meeting organizational goals and users' needs.

EPA does not have a computer security log management policy consistent with federal requirements. While EPA has a policy governing the minimum system auditing activities to be logged, EPA has yet to define a policy for audit log storage and disposal requirements, along with log management roles and responsibilities. EPA risks not having logged data available when needed, and program officials may not implement needed security controls.

EPA did not follow up with staff to confirm whether corrective actions were taken to address known information security weaknesses. EPA had not taken steps to address weaknesses identified from internal reviews as required. Known vulnerabilities that remain unremediated could leave EPA's information and assets exposed to unauthorized access.

Recommendations and Planned Agency Corrective Actions

We recommended that the Assistant Administrator for Environmental Information develop and implement a strategy to incorporate EPA's headquarters program offices within the SIEM environment, develop and implement a formal training program for the SIEM tool, develop a policy or revise the Agency's Information Security Policy to comply with audit logging requirements, and require that the Senior Agency Information Security Officer be addressed on all Office of Environmental Information security reports and reviews.

Office of Environmental Information officials concurred with and agreed to take corrective actions to address all recommendations.

Noteworthy Achievements

We found that EPA employees are aware of the reporting procedures for when they experience an information security incident. Additionally, EPA has recently deployed technical tools to combat cyber-security attacks and conduct forensic analyses of security activity.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL

September 27, 2012

MEMORANDUM

SUBJECT:  Improvements Needed in EPA's Network Security Monitoring Program
          Report No. 12-P-0899

FROM:     Arthur A. Elkins, Jr.

TO:       Malcolm D. Jackson
          Assistant Administrator for Environmental Information and
          Chief Information Officer

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective action plan for agreed-upon actions, including milestone dates.
Recommendations marked unresolved due to a "TBD" planned completion date require a milestone date. Your response will be posted on the OIG's public website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal. We have no objections to the further release of this report to the public. We will post this report to our website at http://www.epa.gov/oig.

If you or your staff has any questions regarding this report, please contact Patricia Hill, Assistant Inspector General, Office of Mission Systems, at (202) 566-0894 or hill.patricia@epa.gov; or Rudolph M. Brevard, Director, Information Resources Management Assessments, at (202) 566-0893 or brevard.rudy@epa.gov.

Table of Contents

Chapters

  1  Introduction
       Purpose
       Background
       Noteworthy Achievements
       Scope and Methodology

  2  Security Incident and Event Management Tool Deployment Lacks Key Activities
       Headquarters Offices Need a SIEM Tool Implementation Strategy
       Training on SIEM Tool's Utilities Needs Improvements
       Recommendations
       Agency Comments and OIG Evaluation

  3  Improvements Needed in EPA's Computer Security Log Management Practices
       EPA Policy Lacks Some Log Management Requirements
       Log Management Infrastructure Lacks Approved Roles and Responsibilities
       Recommendations
       Agency Comments and OIG Evaluation

  4  EPA Lacks an Oversight Process to Remediate Information Security Weaknesses
       EPA Did Not Address Recommendations From Internal Reviews
       National Computer Center Does Not Follow Up on Internally Conducted Network Scans
       Recommendations
       Agency Comments and OIG Evaluation

  Status of Recommendations and Potential Monetary Benefits

Appendices

  A  EPA Monitoring Tools Reviewed
  B  Unaddressed Recommendations
  C  Agency Response to Draft Report
  D  Distribution

Chapter 1
Introduction

Purpose

We sought to determine:

  • What tools has the U.S.
Environmental Protection Agency (EPA) implemented to increase its capability to promptly identify, analyze, and resolve cyber-security incidents against the Agency's network?
  • What steps has EPA implemented to resolve known weaknesses in its incident response capability?
  • Could EPA make improvements in how users report security incidents?

Background

A computer security incident is a violation or threat of a violation of computer security policies or standard security practices. Computer security-related threats have not only increased and become more diverse, but can cause more damage. Preventive actions based on risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is needed for the quick detection of incidents and to minimize loss and destruction of data, mitigate the weaknesses that were exploited, and restore computing services. Continual monitoring of threats through intrusion detection and prevention systems and other mechanisms is essential. Establishing clear procedures to assess current and potential business impacts of incidents is critical, as is putting in place effective methods to collect, analyze, and report data.

The Assistant Administrator for Environmental Information, who is also EPA's Chief Information Officer, is charged under the Federal Information Security Management Act with providing leadership to ensure the security of EPA's information technology (IT) resources. The Assistant Administrator for Environmental Information designates a Senior Agency Information Security Officer, who is responsible for managing Agency compliance with federal information security requirements.

EPA's Office of Technology Operations and Planning (OTOP), within the Office of Environmental Information (OEI), is responsible for the policy, management, and implementation of EPA's IT infrastructure. Within OTOP, the Technology and Information Security Staff (TISS) is responsible for managing the operation of EPA's IT security program. TISS is responsible for deploying and managing EPA's Security Incident and Event Management (SIEM) tool. SIEM documents show that EPA's information security staff can use the SIEM tool to (1) comply with federally required log review and correlation activities, and (2) reduce the level of effort on administrative staff. TISS acquired a SIEM tool in May 2010. TISS documentation indicates that the SIEM tool would be used to perform real-time analysis of security alerts to help respond to security attacks faster and to create log security data and compliance reports.

During 2010-2011, EPA invested over $4.1 million in several automated tools to strengthen the security of the Agency's network infrastructure. OEI, Region 7, and Region 8 information security personnel manage the tools we reviewed. See Appendix A for additional details on these tools.

EPA uses the Automated System Security Evaluation and Remediation Tracking (ASSERT) system to prepare Federal Information Security Management Act reports. ASSERT provides system owners and managers with an understanding of a system's risks, the security controls needed to address those risks, and a plan of actions and milestones to remediate them.

Noteworthy Achievements

We found that EPA employees are aware of reporting procedures for when they experience an information security incident. OTOP deployed forensic and SIEM tools to strengthen EPA network monitoring. OTOP staff indicated that the forensic tool could be used to identify rogue executable files on EPA workstations. TISS documentation indicated that the SIEM tool performs real-time analysis of security alerts, and is available for EPA's information security staff to perform audit logging.

Scope and Methodology

Our audit work commenced in March 2011 and was completed in June 2012. We conducted our audit work at EPA headquarters in Washington, DC; the National Computer Center, Research Triangle Park, North Carolina; Region 7 headquarters in Kansas City, Kansas; and Region 8 headquarters in Denver, Colorado. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We reviewed federal regulations and EPA policies and procedures. We collected and reviewed purchase orders and contract agreements, but did not conduct any tests to determine whether contractors complied with contract terms and conditions. We interviewed EPA headquarters and regional information security staff on the technical tools used to monitor and analyze network traffic. We obtained an understanding of each tool's use, purpose, cost, and function. We conducted random interviews of headquarters and regional staff to assess their knowledge of how to report incidents.

We conducted follow-up on two prior EPA Office of Inspector General (OIG) security audits of EPA's network security monitoring program.

  • In EPA OIG Report No. 2005-P-00011, Security Configuration and Monitoring of EPA's Remote Access Methods Need Improvement, dated March 22, 2005, we recommended that OTOP develop and implement a security-monitoring program that includes testing all servers.

  • In 2009, we followed up on the above report in EPA OIG Report No. 09-P-0240, Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program, dated September 21, 2009. We had sought to determine whether the Agency had implemented an Agency-wide network security monitoring program. We concluded that EPA still had not established an Agency-wide network security monitoring program because EPA did not take alternative action when the monitoring project experienced significant delays. Additionally, EPA offices did not regularly evaluate the effectiveness of actions taken to correct identified deficiencies, as required by the Office of Management and Budget.

Chapter 2
Security Incident and Event Management Tool Deployment Lacks Key Activities

EPA's deployment of a SIEM tool did not comply with Agency requirements for deploying IT investments. EPA's system life cycle management procedures require planning project activities to include resources needed, schedules, and structured training sessions. In particular, EPA had not taken steps to ensure the successful implementation of the SIEM tool by putting in place processes to manage the turnover of key personnel critical to the project's success, making sure plans included all EPA offices, ensuring all responsible individuals have access to management reports generated by the tool, maintaining communications with EPA offices to ensure they were informed of the tool's deployment schedule, and providing training so that offices could use the tool once it was implemented in their respective offices. Without such plans in place, EPA risks that the SIEM tool will not provide effective network monitoring.
When EPA staff are not able to use an IT investment, that investment has limited value in meeting organizational goals and users' needs.

Headquarters Offices Need a SIEM Tool Implementation Strategy

TISS lacks a fully developed strategy to include EPA's headquarters program offices within the SIEM environment. TISS's documents showed a strategy that included each of EPA's regional offices within the SIEM environment. However, efforts to include headquarters program offices fell short due to turnover of technical staff and TISS having discontinued meetings with program office staff on using the SIEM tool. As a result, ten program offices do not have their headquarters servers logged by the SIEM tool.

Although regional information security officers (ISOs) have access to review daily log activity and receive daily log reports, ten headquarters ISOs neither have access to the SIEM tool nor receive the daily reports. Each program office manages numerous assets connected to EPA's network, some of which contain sensitive information such as personally identifiable information. We interviewed several headquarters ISOs who expressed interest in using the SIEM tool, but they said barriers have hindered its use in their offices. Specifically, they cited a lack of (a) access to the tool, (b) demonstration of the tool's capabilities, and (c) follow-up communication from TISS.

TISS management stated that bringing devices within the SIEM architecture is done on a first-come, first-served basis. TISS had not developed a strategy that included a priority list based on EPA's mission-critical and business processes. Such an approach would have given TISS a systematic way to include each program within the SIEM architecture according to its level of risk.

With a majority of EPA's program offices not using the SIEM tool to monitor the security of their assets, the assessment of the security controls associated with log reviews and event correlation may not be as efficient and effective as in those EPA offices using the SIEM's capabilities. Also, headquarters program offices do not have access to an automated tool that could provide an extra level of analysis to help recognize patterns and relationships within data that may escape manual analysis.

TISS provided an updated project plan in February 2012. However, milestone dates have not been finalized as to when headquarters program offices will be incorporated within the SIEM architecture.

Training on SIEM Tool's Utilities Needs Improvements

TISS did not develop a structured training plan for the SIEM tool. EPA's system life cycle management procedures require the development of a training plan and user manual when training users of new IT investments. The training plan should outline objectives, target audience, strategies, and curriculum.

TISS conducted informal training sessions with EPA's regional ISOs to address questions on tool usage and how to generate reports. Those sessions did not include written agendas or discussion topics. Regional ISOs said that the training sessions needed more emphasis on how the SIEM tool could be used to perform detailed security analyses. Further, headquarters ISOs were not aware of the training sessions. TISS said the training sessions were stopped due to staff changes.

TISS also sends daily SIEM reports to EPA's ISOs for review and analysis. However, EPA's ISOs stated the files were too large to perform detailed analyses and that they were limited to spreadsheet queries. Some ISOs said they want to be able to filter the log data by event type. The ISOs can create custom reports only if they know a programming language. TISS had not created a user guide on how to generate security reports, which the ISOs stated would be of immense value in obtaining hands-on experience with the SIEM tool.

Without a structured training curriculum, users' needs are not being met and the continued use of the SIEM tool by EPA's information security staff will be of limited value in performing information security activities.

Recommendations

We recommend that the Assistant Administrator for Environmental Information:

  1. Develop and implement a strategy with milestone dates to incorporate EPA's headquarters program offices within the SIEM environment.

  2. Develop and implement a formal training program that will meet EPA's information security staff needs in using the SIEM tool. The training program should include a user guide on using the SIEM tool to generate reports and on developing customized reports for filtering known and suspicious events.

Agency Comments and OIG Evaluation

OEI officials concurred with and agreed to take corrective actions to address all recommendations. We believe these corrective actions, when implemented, will address the intent of our recommendations.

Appendix C contains the Agency's complete response to the report.

Chapter 3
Improvements Needed in EPA's Computer Security Log Management Practices

EPA does not have a computer security log management policy that complies with federal requirements. While EPA has a policy governing the minimum system auditing activities to be logged, EPA has yet to define a policy for audit log storage and disposal requirements. EPA recently implemented its SIEM tool. However, the Agency has yet to finalize its guidance governing the roles and responsibilities for the log management infrastructure. National Institute of Standards and Technology (NIST) guidance directs agencies to define mandatory requirements for these activities. Without such definitions, EPA risks logged data not being available when needed for event analysis. Furthermore, without clearly defined roles and responsibilities for the log management infrastructure, EPA risks having program office officials responsible for securing their systems not implement the needed security controls for log management.

EPA Policy Lacks Some Log Management Requirements

Three sites visited had audit logging procedures, but none of the sites had consistent procedures. For example, one site's procedures did not include requirements for proper log storage and disposal, while the other sites had inconsistent storage and disposal procedures. NIST Special Publication (SP) 800-92, "Guide to Computer Security Log Management," dated September 2006, states that an organization should develop policies that clearly define mandatory requirements for log management activities, including log generation, log storage and disposal, and log analysis.

EPA offices defined and implemented their own respective logging procedures because the Agency's policy does not define mandatory audit logging requirements. EPA issued an Interim Agency Information Security Policy in April 2012 to supersede its Agency Network Security Policy; however, this policy still does not address key log management elements such as proper log storage and disposal.
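As an added example, not code from this report, from EPA, or from any SIEM vendor, the script below works through the two practical needs the report describes: the ISOs in chapter 2 who receive daily SIEM exports too large for spreadsheet queries and want to filter by event type and see patterns that escape manual review, and this chapter's missing rule for log storage and disposal under NIST SP 800-92. The CSV column layout, the sample records, the correlation thresholds and the retention periods are all constructed for illustration and do not reflect EPA's actual export format or any EPA policy.

```python
"""Added example (not EPA's or any SIEM vendor's code): filter a daily SIEM
export by event type, correlate a pattern that a spreadsheet query misses, and
apply a written log storage/disposal rule.

Assumptions, not taken from the report: the daily export is CSV with the
columns below, and the retention periods in RETENTION_DAYS are a hypothetical
policy chosen for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a daily export; timestamps are UTC ISO-8601.
SAMPLE_EXPORT = """\
timestamp,event_type,source_ip,user,host
2012-06-01T08:00:01Z,auth_failure,10.1.1.7,jdoe,hq-web-01
2012-06-01T08:00:05Z,auth_failure,10.1.1.7,jdoe,hq-web-01
2012-06-01T08:00:09Z,auth_failure,10.1.1.7,jdoe,hq-web-01
2012-06-01T08:00:12Z,auth_failure,10.1.1.7,jdoe,hq-web-01
2012-06-01T08:00:40Z,auth_success,10.1.1.7,jdoe,hq-web-01
2012-06-01T09:15:00Z,auth_failure,10.2.2.9,asmith,r7-file-02
2012-06-01T09:30:00Z,firewall_deny,198.51.100.4,,hq-fw-01
2012-06-01T10:00:00Z,auth_success,10.3.3.3,asmith,r8-app-01
"""

# Hypothetical retention policy in days, keyed by event type; the fallback
# applies to any event type the policy does not name.
RETENTION_DAYS = {"auth_failure": 365, "auth_success": 180, "firewall_deny": 90}
DEFAULT_RETENTION_DAYS = 90


def parse_export(text):
    """Parse the CSV export into dicts, adding a datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def filter_by_type(rows, event_type):
    """The per-event-type filter the ISOs asked for."""
    return [r for r in rows if r["event_type"] == event_type]


def find_bruteforce_success(rows, threshold=3, window=timedelta(minutes=5)):
    """Correlate: at least `threshold` auth_failures from one (source_ip, user)
    pair, followed by an auth_success for the same pair while those failures
    are still inside the sliding `window`. Returns (ip, user, success_ts)."""
    by_key = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["event_type"] in ("auth_failure", "auth_success"):
            by_key[(r["source_ip"], r["user"])].append(r)
    hits = []
    for (ip, user), events in by_key.items():
        recent_failures = []
        for ev in events:
            # drop failures that have aged out of the window
            recent_failures = [f for f in recent_failures if ev["ts"] - f["ts"] <= window]
            if ev["event_type"] == "auth_failure":
                recent_failures.append(ev)
            elif len(recent_failures) >= threshold:
                hits.append((ip, user, ev["ts"]))
                recent_failures = []
    return hits


def disposal_candidates(rows, today_iso, legal_hold_hosts=frozenset()):
    """Apply the storage/disposal rule: a record is disposable once it is older
    than its event type's retention period, unless its host is under an
    investigation hold, in which case it is kept regardless of age."""
    today = datetime.strptime(today_iso, "%Y-%m-%d")
    out = []
    for r in rows:
        if r["host"] in legal_hold_hosts:
            continue
        keep_days = RETENTION_DAYS.get(r["event_type"], DEFAULT_RETENTION_DAYS)
        if today - r["ts"] > timedelta(days=keep_days):
            out.append(r)
    return out


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(len(filter_by_type(rows, "auth_failure")), "auth failures in export")
    for ip, user, when in find_bruteforce_success(rows):
        print(f"failures then success: user={user} from {ip} at {when.isoformat()}")
    for r in disposal_candidates(rows, "2012-09-27", legal_hold_hosts={"hq-web-01"}):
        print("disposable:", r["timestamp"], r["event_type"], r["host"])
```

Two points a practitioner should take from this. The correlation is the kind of query that is awkward in a spreadsheet but trivial once the export is parsed: it is keyed on the source and account pair, not on the host, so a guessing run against one server that ends in a successful logon surfaces as a single finding. The disposal routine is only as good as the policy table behind it; a written storage and disposal rule such as NIST SP 800-92 calls for is what lets the routine refuse to discard records that an open investigation still needs.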
    The lack of a clearly defined audit logging policy could lead additional
    EPA offices to create inconsistent logging practices across the Agency, and
    may jeopardize the availability of EPA’s logging information when needed
    for investigating suspicious activity that may not be monitored by the SIEM
    tool.

Log Management Infrastructure Lacks Approved Roles and Responsibilities

    While EPA defined the roles and responsibilities for the SIEM infrastructure
    within the draft “Enterprise Reference Guide” dated June 2011, the Agency
    has yet to finalize these requirements. NIST SP 800-92 states that as part
    of the log management planning process, an organization should define the
    roles and responsibilities of individuals and teams expected to be involved
    in log management.

    We found that EPA had not developed a policy to define the roles and
    responsibilities for log management. We believe that the lack of a policy
    to reinforce how EPA would use the SIEM infrastructure to comply with the
    log review requirements of NIST SP 800-53, “Recommended Security Controls
    for Federal Information Systems,” contributed to the issues identified in
    chapter 2 of this report. Furthermore, EPA intended the SIEM tool to be
    used to provide information beyond what is required to meet basic NIST SP
    800-53 log review requirements. Without a clearly defined policy outlining
    respective roles within the log management infrastructure, the SIEM tool
    may not meet its intended purpose.

Recommendations

    We recommend that the Assistant Administrator for Environmental Information:

       3. Develop a policy or revise the Agency’s Information Security Policy to
          comply with NIST SP 800-92. This policy should include, but not be
          limited to, defining log storage and disposal requirements and roles
          and responsibilities for the log management infrastructure.

       4. Finalize the SIEM tool’s “Enterprise Reference Guide.”

Agency Comments and OIG Evaluation

    OEI officials concurred with and agreed to take corrective actions to
    address all recommendations. We believe these corrective actions, when
    implemented, will address the intent of our recommendations. OEI officials
    also listed “TBD” (to be determined) as the planned completion date for
    recommendation 3. We list the status of this recommendation as unresolved.
    In our transmittal memorandum, we request that OEI officials provide
    milestone dates in the 90-day response.

    Appendix C contains the Agency’s complete response to the report.

                                   Chapter 4
        EPA Lacks an Oversight Process to Remediate
             Information Security Weaknesses

    EPA did not follow up with staff to confirm that corrective actions were
    taken to address known information security weaknesses. EPA had not
    addressed weaknesses identified by internal reviews. Office of Management
    and Budget Circular A-123, “Management Accountability and Control,” states
    that managers are responsible for taking timely and effective actions to
    correct identified deficiencies. OEI, which is responsible for securing
    EPA’s network from internal and external exploits, has not developed a
    process to verify that known weaknesses have been addressed. As a result,
    known vulnerabilities remained unremediated and key steps to resolve those
    weaknesses remain unaddressed, which could leave EPA information exposed to
    unauthorized access.

EPA Did Not Address Recommendations From Internal Reviews

    From 2009 to 2010, three internal reviews were conducted on EPA’s
    information security program. EPA prepared an internal document titled
    “Clampi Infection Lessons Learned Document” that summarized EPA’s response
    to a Trojan horse infection. A Trojan horse is a computer program that
    hides a virus or other potentially damaging program; it may purport to do
    one action when, in fact, it is performing a malicious action on a
    computer. Trojan horses can be included in software that is downloaded for
    free or as attachments in email messages. EPA contracted with the Computer
    Emergency Response Team (CERT) Program at Carnegie Mellon University’s
    Software Engineering Institute and with Booz Allen Hamilton to conduct
    separate reviews of EPA’s information security program. We found that
    proper points of contact were difficult to obtain and that plans of action
    and milestones (POA&Ms) were either not created or were not created until
    our audit was underway. EPA’s POA&M procedures state that any IT security
    finding and recommendation from reviews, audits, assessments, tests, or
    other sources (including but not limited to incidents) must be analyzed
    and categorized as to the level of risk (high, medium, low), and a
    determination made as to the appropriate action to be taken for the
    weaknesses identified. Table 1 identifies the names of the reports and the
    number of recommendations reviewed, not addressed, and without POA&Ms.

Table 1: Three internal reports reviewed with status of recommendations

                                          No. of report    No. of recommendations    No. of recommendations
  Title of Agency internal review       recommendations       not addressed             without POA&Ms
  Clampi Infection Lessons Learned            53                    6                         7
  Carnegie Mellon                             31                   17                        31
  Booz Allen Hamilton                         19                    0                        19
  Totals                                     103                   23                        57
Source: Clampi Infection Lessons Learned document, Carnegie Mellon report, and
Booz Allen Hamilton report. OIG-generated.

    The Clampi Infection Lessons Learned document resulted from a Trojan horse
    infection that occurred within EPA in July 2009. Based on meetings with
    EPA, we found that there was no central point of contact responsible for
    ensuring that EPA staff addressed each recommendation. In some cases, EPA
    staff could not provide any evidence of how the issues and recommendations
    were addressed. We also found that some recommendations were not addressed
    and, in some cases, POA&Ms were created after we started fieldwork, or
    2 years after the Clampi infection occurred.

    The Carnegie Mellon report, issued in August 2009, appraised six areas
    within EPA’s information security program using the CERT Resiliency
    Engineering Framework. We found that EPA’s management had neither taken
    corrective actions nor created POA&Ms to address the findings. As a result
    of our findings, TISS developed a strategic plan covering fiscal years 2011
    through 2016 to manage the report’s findings. We found that the strategic
    plan addressed sections of the report except for issues on global strengths
    and weaknesses. We also found that POA&Ms were not created for other areas
    reviewed.

    The Booz Allen Hamilton document, issued in August 2010, identified
    procedural and operational deficiencies with EPA’s incident handling
    capabilities when dealing with Advanced Persistent Threats. These threats
    are adversaries who can bypass virtually all of today’s best practices and
    have the ability to establish and maintain a long-term presence on target
    networks. When we followed up on the issues, TISS developed a strategic
    plan to address the report’s findings. Although the strategic plan did not
    include an authoritative corrective action plan, we considered the
    strategic plan a managerial approach to remediating known weaknesses. TISS
    had not created POA&Ms in EPA’s ASSERT system to manage the document’s
    findings and to ensure that accountability is assigned.

    Appendix B identifies the documents’ findings and recommendations that
    remain unaddressed.

National Computer Center Does Not Follow Up on Internally Conducted Network Scans

    OEI does not require system owners to provide a response on how they
    addressed vulnerabilities identified during monthly network testing.
    Further, OEI does not follow up with system owners to confirm that
    identified vulnerabilities have been addressed. Office of Management and
    Budget Circular A-123 requires managers to take timely and effective action
    to correct deficiencies identified by a variety of sources. The circular
    also states that correcting deficiencies is an integral part of management
    accountability and must be considered a priority by the Agency. National
    Computer Center (NCC) staff stated that it was not their responsibility to
    ensure that the vulnerabilities are addressed. Therefore, there is no
    assurance that identified vulnerabilities are being addressed or monitored,
    which could expose EPA’s network to security attacks.

    In EPA OIG Report No. 2005-P-00011, Security Configuration and Monitoring
    of EPA’s Remote Access Methods Need Improvement, dated March 22, 2005, we
    recommended that OTOP develop and implement a security-monitoring program
    that includes testing all servers. Further, in EPA OIG Report No.
    09-P-0240, Project Delays Prevent EPA from Implementing an Agency-wide
    Information Security Vulnerability Management Program, dated September 21,
    2009, we concluded that EPA still had not established an Agency-wide
    network security monitoring program because EPA did not take alternative
    action when the monitoring project experienced significant delays.

    We looked at the NCC Foundstone tool during the conduct of this audit and
    found that OEI’s NCC staff conduct monthly vulnerability scans of EPA’s
    network and forward scan results to the appropriate contacts for action.
    However, NCC staff do not follow up nor require system owners to respond,
    so NCC cannot confirm that scan results have been addressed. NCC staff
    stated that they provide the tools and the support, but regional and
    program office staff are responsible for taking action. NCC staff do not
    rescan those servers at a later date to confirm that vulnerabilities were
    remediated. We made our initial recommendation in 2005, but an EPA-wide
    vulnerability management and remediation process is still not in place.
    Therefore, there is no assurance that EPA’s information security staff is
    remediating vulnerabilities in a timely manner, and such vulnerabilities
    could expose EPA’s assets to unauthorized access and potential harm to the
    network.

Recommendations

    We recommend that the Assistant Administrator for Environmental Information:

       5. Issue a memorandum to OEI officials requiring that the Senior Agency
          Information Security Officer be the addressee on all internal
          security reports and reviews in order to ensure that identified
          weaknesses are recorded within the Agency’s security weakness
          tracking system.

       6. Create POA&Ms for all recommendations applicable to Agency internal
          reports identified in Appendix B.

       7. Develop and implement a process to verify that identified weaknesses
          in Appendix B are addressed and decisions are documented on actions
          taken.

       8. Develop and implement a process to verify that regional and program
          office staff address vulnerabilities from NCC scans.

Agency Comments and OIG Evaluation

    OEI officials concurred with recommendations 6 through 8. Recommendation 5
    originally required a written appointment of a central point of contact
    for tracking the completion of weaknesses discovered during internal
    assessments. In its response, OEI stated that the Agency’s Senior Agency
    Information Security Officer is appointed as the central Agency contact for
    tracking remediation action. However, our audit work disclosed that the
    points of contact were difficult to obtain and POA&Ms were not created. We
    modified our recommendation to state that the Assistant Administrator for
    Environmental Information and Chief Information Officer should direct his
    staff to provide all security reports and reviews to the Senior Agency
    Information Security Officer. The Agency agreed to the modified
    recommendation. OEI officials concurred with and agreed to take corrective
    actions to address all recommendations.
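    Recommendation 8 above asks for a process that verifies NCC scan findings
    are actually addressed. The Python script below is an added example of the
    bookkeeping such a process needs; it is not EPA’s, NCC’s or the Foundstone
    tool’s code. It reconciles consecutive monthly scans, counts a finding as
    remediated only when a rescan of the same host no longer reports it (a host
    that was simply not rescanned proves nothing), and flags open findings that
    are past a deadline, lack a POA&M entry, or have no owner response. The
    hosts, check identifiers, dates, owner responses, POA&M entries and the
    SLA_DAYS deadlines are all constructed placeholders.

```python
"""Closing the loop on monthly vulnerability scan results.

Added example for this page; not EPA's or NCC's tooling. A finding counts as
remediated only when a rescan of the same host no longer reports it, and open
findings are flagged when past their deadline, lacking a POA&M, or lacking an
owner response. All hosts, check ids, dates and deadlines are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    host: str       # scanned system (placeholder names below)
    check_id: str   # scanner's identifier for the vulnerability check
    severity: str   # "high", "medium" or "low"


# Hypothetical remediation deadlines in days, by severity.
SLA_DAYS = {"high": 30, "medium": 60, "low": 90}

# One monthly scan: (scan date, hosts actually scanned, findings reported).
Scan = Tuple[date, Set[str], Set[Finding]]


def _by_host(findings) -> List[Finding]:
    """Stable ordering for reports and comparisons."""
    return sorted(findings, key=lambda f: (f.host, f.check_id))


def reconcile(scans: List[Scan], responses: Dict[Finding, str],
              poams: Set[Finding], today: date) -> Dict[str, List[Finding]]:
    """Reconcile a chronologically ordered series of scans.

    responses: owner acknowledgements keyed by finding
    poams:     findings that already have a POA&M entry
    """
    first_seen: Dict[Finding, date] = {}
    for scan_date, _hosts, findings in scans:
        for f in findings:
            first_seen.setdefault(f, scan_date)

    _latest_date, latest_hosts, latest_findings = scans[-1]
    still_open = [f for f in first_seen if f in latest_findings]
    gone = [f for f in first_seen if f not in latest_findings]

    # Verified remediation requires that the host was rescanned and the check
    # no longer fires; a host absent from the rescan is merely unverified.
    remediated = [f for f in gone if f.host in latest_hosts]
    unverified = [f for f in gone if f.host not in latest_hosts]

    overdue = [f for f in still_open
               if (today - first_seen[f]).days > SLA_DAYS[f.severity]]
    return {
        "open": _by_host(still_open),
        "remediated": _by_host(remediated),
        "unverified": _by_host(unverified),
        "overdue": _by_host(overdue),
        "needs_poam": _by_host(f for f in overdue if f not in poams),
        "no_response": _by_host(f for f in still_open if f not in responses),
    }


# Constructed scan history: three monthly scans, the last one missing a host.
WEB_HIGH = Finding("web1.example", "CHK-0001", "high")
DB_MED = Finding("db1.example", "CHK-0002", "medium")
FILE_LOW = Finding("file1.example", "CHK-0003", "low")
WEB_LOW = Finding("web1.example", "CHK-0004", "low")

SCANS: List[Scan] = [
    (date(2012, 6, 5), {"web1.example", "db1.example", "file1.example"},
     {WEB_HIGH, DB_MED, FILE_LOW}),
    (date(2012, 7, 3), {"web1.example", "db1.example", "file1.example"},
     {WEB_HIGH, DB_MED, FILE_LOW, WEB_LOW}),
    (date(2012, 8, 7), {"web1.example", "db1.example"},      # file1 not rescanned
     {WEB_HIGH, WEB_LOW}),
]
RESPONSES = {WEB_HIGH: "patch scheduled for next maintenance window"}
POAMS = {WEB_LOW}
TODAY = date(2012, 8, 31)


def demo() -> Dict[str, List[Finding]]:
    """Run the reconciliation over the constructed history."""
    return reconcile(SCANS, RESPONSES, POAMS, TODAY)


if __name__ == "__main__":
    for bucket, findings in demo().items():
        print(f"{bucket}: {[f'{f.host} {f.check_id}' for f in findings]}")
```

    Run against the constructed history, the database finding is verified
    remediated, the file server finding is unverified because that host was
    left out of the last scan, the high-severity web finding is overdue and
    has no POA&M, and the low-severity web finding has no owner response. Each
    bucket is the list NCC would send back to the responsible office, which is
    the follow-up the report found missing.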
    We believe these corrective actions, when implemented, will address the
    intent of our recommendations. OEI officials also listed “TBD” (to be
    determined) as the planned completion dates for recommendations 5, 6,
    and 7. We list the status of these recommendations as unresolved. In our
    transmittal memorandum, we request that OEI officials provide milestone
    dates in the 90-day response.

    Appendix C contains the Agency’s complete response to the report.

                          Status of Recommendations and
                            Potential Monetary Benefits

                                                                                                        POTENTIAL MONETARY
                                      RECOMMENDATIONS                                                   BENEFITS (in $000s)

 Rec.  Page                                                                                 Planned
 No.   No.   Subject                                            Status¹  Action Official    Completion  Claimed  Agreed-To
                                                                                            Date        Amount   Amount

  1     6    Develop and implement a strategy with milestone     O        Assistant          12/31/13
             dates to incorporate EPA’s headquarters program              Administrator for
             offices within the SIEM environment.                         Environmental
                                                                          Information

  2     6    Develop and implement a formal training program     O        Assistant          12/31/12
             that will meet EPA’s information security staff              Administrator for
             needs in using the SIEM tool. The training program           Environmental
             should include a user guide on using the SIEM tool           Information
             to generate reports and developing customized
             reports for filtering known and suspicious events.

  3     8    Develop a policy or revise the Agency’s Information U        Assistant          TBD
             Security Policy to comply with NIST SP 800-92. This          Administrator for
             policy should include, but not be limited to,                Environmental
             defining log storage and disposal requirements and           Information
             roles and responsibilities for the log management
             infrastructure.

  4     8    Finalize the SIEM tool’s “Enterprise Reference      O        Assistant          3/29/13
             Guide.”                                                      Administrator for
                                                                          Environmental
                                                                          Information

  5    12    Issue a memorandum to OEI officials requiring the   U        Assistant          TBD
             Senior Agency Information Security Officer be the            Administrator for
             addressee on all internal security reports and               Environmental
             reviews in order to ensure identified weaknesses             Information
             are recorded within the Agency’s security weakness
             tracking system.

  6    12    Create POA&Ms for all recommendations applicable    U        Assistant          TBD
             to Agency internal reports identified in                     Administrator for
             Appendix B.                                                  Environmental
                                                                          Information

  7    12    Develop and implement a process to verify that      U        Assistant          TBD
             identified weaknesses in Appendix B are addressed            Administrator for
             and decisions are documented on actions taken.               Environmental
                                                                          Information

  8    12    Develop and implement a process to verify that      O        Assistant          2/15/13
             regions and program office staff address                     Administrator for
             vulnerabilities from NCC scans.                              Environmental
                                                                          Information

¹ O = recommendation is open with agreed-to corrective actions pending
  C = recommendation is closed with all agreed-to actions completed
  U = recommendation is unresolved with resolution efforts in progress

                                                                          Appendix A

                        EPA Monitoring Tools Reviewed

OEI manages EPA’s IT infrastructure, supports EPA’s information systems and
information products, and develops strategies for information security. OEI
management provided the OIG with a briefing on security tools used to secure the
Agency’s network infrastructure. The OIG also contacted EPA’s regional
information security community to determine whether they were using additional
security tools to combat cyber-security events and monitor network traffic. The
OIG learned that EPA regional offices in Kansas City, Kansas (Region 7), and
Denver, Colorado (Region 8), were using log management tools to monitor network
traffic.
The OIG met with EPA personnel who managed those security tools to obtain
information on each tool’s functionalities, cost, and usage.

Table A-1 lists the security tools the OIG reviewed during this audit. The cost
of each tool represents funds expended during fiscal years 2010 and 2011 to
cover hardware and software requirements, training needs, annual maintenance,
and licenses.

Table A-1: Security tools managed by EPA offices/regions visited

  Office/Region                         Functionality                                      Cost
  Office of Environmental Information/  Security incident and event management tool    $ 1,766,923
  Office of Technology Operations       eDiscovery and forensic tool                       974,495
  and Planning                          Virus protection software                          614,547
                                        Patch management tool                              453,166
                                        Netflow analyzer software                           20,989
                                        Asset management tool                              268,802
  Region 7 (Kansas City Office)         Security audit log software                          1,665
  Region 8 (Denver Office)              Security incident and event management tool         42,032
  Total                                                                                $ 4,142,619
Source: OIG analysis.

NCC personnel indicated that EPA’s perimeter enforcement and web-filtering
capabilities are managed through a U.S. General Services Administration services
contract as part of a federal “cloud environment.” EPA indicated that the
associated cost for this managed service is administered by the U.S. General
Services Administration and that costs specific to EPA could not be provided.

                                                                          Appendix B

                        Unaddressed Recommendations

During 2009 and 2010, EPA conducted three separate internal reviews of the
Agency’s information security program: (1) Clampi Infection Lessons Learned,
(2) CERT at Carnegie Mellon University Software Engineering Institute, and
(3) Booz Allen Hamilton document for Mitigation of Advanced Persistent Threats.

OEI manages EPA’s IT infrastructure, supporting the Agency’s information systems
and information products. OTOP also develops and implements IT policies, plans,
and strategies for information security, investment management, and workforce
training and development. TISS, within OTOP, is responsible for managing the
Agency’s IT security program, including IT security planning, program
management, evaluation of effectiveness, support to other programs, support for
policy and procedure development, and communications. TISS manages, oversees,
and communicates the Agency’s IT security program by providing a framework,
tools, priorities, and overall direction for EPA employees and management.

Background information on each document and the recommendations that remain
unaddressed based on our audit work is detailed below.

Clampi Infection Lessons Learned

On July 10, 2009, EPA was infected with what appeared to be a Trojan horse
virus. At 1:40 p.m., an initial report was received from Region 5 indicating
that 15 systems were infected. Seven minutes later, by 1:47 p.m., the infection
was confirmed in Nevada, Virginia, North Carolina, Florida, and other locations
across the nation. The infections were later identified as new variants of the
Clampi Trojan. With the help of several stakeholders who were involved during
this event, EPA created a lessons learned document in response to this event
titled “Clampi Infection Lessons Learned,” dated August 1, 2009. The document
lists findings on what went well and areas of concern during the response to
this event. Recommendations were addressed to the Computer Security Incident
Response Capability (CSIRC) Center, Enterprise Desktop Solutions Division,
Customer Technology Solutions (CTS), EPA Call Center, and the Senior Agency
Information Security Officer.

Table B-1: Findings and corresponding recommendations not addressed

  Finding(s) and applicable recommendation(s)                                    Responsible office
                                                                                 for remediation
  An ancillary finding to temporarily blocking webmail was that users are        TISS
  circumventing security controls and utilizing personal webmail to send and
  receive email on behalf of EPA. For example, in one ticket a user complained
  that she was no longer able to view her EPA mail on her iPhone because Yahoo
  mail was blocked. Aside from a potential infection vector, sensitive EPA data
  could be lost, viewed, or stolen should a user’s personal account be
  compromised or personal device lost.
  1. Set policy disallowing the use of personal webmail to conduct business on
     behalf of EPA.
  2. Allow the viewing of personal webmail but filter the download of
     attachments.
  3. If the aforementioned recommendations are operationally impossible, route
     third-party webmail traffic through the demilitarized zone where it can be
     monitored for data leakage.

  While the infection was ongoing, CSIRC struggled to locate the correct         CSIRC
  individuals for information. For example, we were unable to find the right
  person to provide a report on CTS anti-virus definitions.
  1. Get an org. chart quarterly from CTS and ISOs.

  Information briefly circulated indicating the Clampi Trojan was spreading      Enterprise Desktop
  via USB thumb drives. Although this was later proven false, the fact that      Solutions Division
  EPA is vulnerable to infection from flash drives is true.
  1. Disable autorun and autoplay.
  2. Force virus scans on removable media.

  EPA Call Center was overwhelmed with the influx of tickets. As the Clampi      EPA Call Center
  event wound to a close, CSIRC discovered events reported by CTS to the EPA
  Call Center that were never entered into Remedy by Apptis.
  1. With two separate Remedy systems maintained and owned by separate
     vendors, confusion and duplicate tickets are a weekly occurrence.
  2. We recommend automation between the systems or converging the two into
     one.

  Several Regions/Program Offices were not represented on the emergency calls.   Senior Agency
  1. When a region/PO is unaccounted for during a national call, involve the     Information Security
     IRM Branch Chiefs. ISOs stated they had no insight or influence over the    Officer
     CTS systems under their area of responsibility. Local site ISOs expressed
     displeasure that CTS didn’t communicate with them.
  2. Local ISOs need insight into all assets at their site. We recommend a
     dashboard for use by local ISOs with rollup to Primary ISOs for insight
     into their area of responsibility.
  3. The ISOs’ role in security events needs to be more clearly defined. There
     is some confusion about CTS/CSIRC communicating directly with each other
     versus the ISO. ISOs without Blackberries did not find out about the
     Clampi infection until the next Monday.
  4. Issue Blackberries to all ISOs. ISOs relying on contractor support ran
     into a problem where contractors were not approved to work overtime.
  5. Set aside funding for emergency operations. ISOs complained the NSA
     toolkit was not useful and was introduced at the wrong time.
  6. Continue the phased implementation and encourage ISOs to become familiar
     with the toolkit and its use.
Source: Clampi Infection Lessons Learned Document.

Carnegie Mellon Report

EPA entered into an engagement with the CERT Program at Carnegie Mellon
University Software Engineering Institute to perform an appraisal of EPA’s
information security program based on the CERT Resiliency Engineering
Framework. Carnegie Mellon’s report, CERT Resiliency Engineering Framework,
Environmental Protection Agency, August 2009, identified several areas for
improvement in EPA’s incident response and handling program. Recommendations in
Chapter 4 apply to EPA’s information security program as a whole.

Table B-2: Findings and corresponding recommendations not addressed

  Finding/recommendation                                                         Responsible office
                                                                                 for remediation
                Chapter 4 Appraisal Findings: Global Strengths and Weaknesses
  1.  There is a dependence on heroic actions by individuals.                    OTOP
  2.  Governance for information security activities is generally missing;
      however, Technology Management activities are receiving some governance
      from the Quality and Information Council/Quality Technology Subcommittee.
  3.  There is a focus on tools as opposed to (and sometimes in conflict with) a
      focus on sound process and procedures.
  4.  Information security program activities tend to be reactively evolved
      rather than proactively planned.
  5.  The information security program is largely compliance-focused as opposed
      to requirements-driven.
  6.  Information security metrics activities are lacking.
  7.  People are accepting information security risks on behalf of the Agency
      who may not have the authority, necessary understanding, or willingness
      to do so.
  8.  There is a heavy reliance on contractors to perform critical functions in
      support of the Agency information security program without clear measures
      in place to ensure that program knowledge is sustainable.
  9.  There is a lack of awareness and appreciation of information security
      activities in support of the Agency’s business and mission.
  10. Manipulation of self-reported data has made internal and external
      compliance reports unreliable indicators of the Agency’s information
      security posture.
  11. Agency management’s focus on generating favorable internal and external
      reports has resulted in coaching respondents to adjust self-reported data
      to the detriment of the Agency’s information security posture.
  12. Quality and validity of self-reported data is questionable and makes the
      enforcement and validation process difficult.
  13. Data calls to support compliance are numerous and often redundant.
  14. IT security money is allocated across the Agency to support IT security
      responsibilities.
  15. Key information security roles (for example ISO, PO, lRO, ISSO, IMO, SA,
      and System owner) and their associated responsibilities are not
      well-defined, well-understood, commonly captured in position
      descriptions, or well-aligned with the training program.
  16. Agency management support for a consistent and repeatable information
      security program and process is lacking; the current focus is reactive
      and compliance-driven.
  17. Enforcement actions related to information security are not enacted by
      Agency management.

       Chapter 7 Appraisal Findings: Incident Management and Control (IMC) Capability area
  1.  EPA seemed unclear on the processes that were to be followed relative to   TISS
      closing incidents, including any lessons learned.
  2.  There was not sufficient evidence to suggest that lessons learned were
      being translated into actions to better protect Agency assets.
  3.  There is no consistent or formalized process to identify recurring
      problems, examine root causes, or develop solutions for these problems
      with the goal of preventing future, similar incidents.

               Chapter 14 Recommendations: Prioritize and Address Capability Gaps
  1.  Establish the internal procedures for incident management and control.    TISS
  2.  Establish procedures and criteria for the regular performance of
      post-incident reviews.
  3.  Establish a link between the incident management and control process and
      the problem management process.
  4.  Establish a process to improve asset protection and continuity strategies
      in response to lessons learned from managing incidents.
  5.  Establish governance over the planning and performance of the incident
      management and control process.
  6.  Establish and maintain the plan for performing the incident management
      and control process.
  7.  Evaluate the sufficiency of incident management and control resources,
      and request resource changes as necessary.
  8.  Formally assign responsibility and authority for performing the incident
      management and control process.
  9.  Improve monitoring of the incident management and control process.
  10. Use appraisals or audits to objectively evaluate the adherence of the
      incident management and control activities to the process description,
      standards, and procedures.
Source: Carnegie Mellon report.

Booz Allen Hamilton Document

In August 2010, Booz Allen Hamilton was tasked to identify immediate and/or
stop-gap measures to protect EPA systems and data. Booz Allen Hamilton issued a
document on November 5, 2010, on EPA’s ability to mitigate Advanced Persistent
Threats. Booz Allen Hamilton concluded that EPA had procedural and operational
weaknesses preventing EPA from successfully mitigating Advanced Persistent
Threats. Procedural weaknesses included areas such as governance, policy,
procedures, and oversight. Operational weaknesses included recommendations for
implementing a risk mitigation program, sharing of forensic images by OIG,
expanding CSIRC’s mission and capabilities to address Advanced Persistent
Threats across the enterprise, and obtaining/installing an enterprise event log
aggregation/correlation tool.

Table B-3: Findings and corresponding recommendations not addressed

  Finding/recommendation                                                         Responsible office
                                                                                 for remediation
                                    Procedural Findings
  Ongoing senior management buy-in and support for the IT security program is    TISS
  essential
  1. Identify senior management level of risk tolerance for IT Information       Senior Agency
     Management assets.                                                          Information Security
                                                                                 Officer
  Strong governance around the IT security program is essential
  2. Develop a formal agency governance program to oversee all IT security
     actions.

  IT security policies and procedures must be updated and current systems
  security verified
  3. Perform an immediate review of all EPA IT security policies and procedures.
  4. Based on senior management’s risk tolerance, prioritize IT Information
     Management assets and validate security documentation.

  EPA is facing a challenge in its IT security environment that requires it to
  become more proactive in its actions, rather than reactive. Attackers will
  always be looking for the next gap.
  5. Plan an Agency-wide cyber security program to identify and prioritize
     risks that impact the IT security program and design a risk management
     program across the offices and regions.
  6. Include formal assessment and testing requirements in IT Information
     Management procurements to minimize introduction of new vulnerabilities
     and threats.

  EPA should consider innovative ways to improve IT security situational
  awareness.
  7. Design a security awareness program that will more effectively drive the
     message to users.

  In accordance with NIST SP 800-39, EPA must adopt automated tools to achieve
  continuous monitoring for threats.
  8. EPA needs to embrace a broader risk management perspective.

  EPA needs clear standards for training, roles, and responsibilities for IT
  Information Management security personnel.
  9. Design a security awareness program that will more effectively drive the
     message to users.
     Consider the "think before you click" campaign concept.
 10. Identify those who are most likely to be targeted based on position and access to information. Use available intelligence to identify what information is being targeted. Develop a security awareness program that is aimed specifically at this audience to promote their sensitization and awareness of accountability.

Actions by law enforcement or intelligence could act as a constraint to Incident Response actions, negatively impacting security or services. (Responsible office for remediation: TISS)
 11. Identify law enforcement and intelligence activity as a risk and engage in planning to determine a mitigation plan. Engage law enforcement and intelligence agencies in the mitigation planning. (Responsible office for remediation: Senior Agency Information Security Officer)

Operational Findings

EPA does not have a risk mitigation program. (Responsible office for remediation: TISS)
 1.  Deployment of specialized incident response tools as one element of the Proactive Threat Identification program.
 2.  Centralize efforts to identify all assets currently within the EPA enterprise and verify each has appropriate accreditation.
 3.  Designate personnel with the specific responsibility to identify and interact with those sources most likely to provide EPA with relevant data in the fastest time possible.

EPA's best practices to secure against IT threats are known.
Mitigation, not elimination, can be achieved through the IT security program.
 4.  Focus the IT security program on detection, containment, and eradication of threats.

EPA is highly vulnerable to targeted/spear-phishing email.
 5.  EPA should consider a risk assessment related to information positioned in the public environment and assess the effects of the release, including the potential of creating targets for attackers within the Agency.

CSIRC cannot readily determine, as a compromised system is identified, whether it belongs to a VIP or Senior Executive Staff.
 6.  Assess all users and identify those accounts most frequently in possession of, or in communication with, the information EPA can't afford to lose.

The EPA CSIRC program has been effective within its original function but is not capable of dealing with highly sophisticated Advanced Persistent Threats.
 7.  Expand CSIRC's mission and capabilities to address Advanced Persistent Threats across the enterprise. Obtain and install an enterprise event log aggregation/correlation tool.

Due to delegation of roles, all forensic images have been obtained by OIG and analysis/reporting is maintained close-hold. (Responsible office for remediation: TISS)
 8.  The OIG should be encouraged to share that information that will improve security and not impact ongoing investigations.
     If copies of their images are not made available, the Agency should perform its own acquisition and forensic examination.
Source: Booz Allen Hamilton report.


                                                                               Appendix C

                 Agency Response to Draft Report


                                         9/06/2012

MEMORANDUM

SUBJECT:      OEI's Response to OIG's Draft Report – Improvements Needed in
              EPA's Network Security Monitoring Program (OMS-FY11-0005)

FROM:         Malcolm D. Jackson
              Assistant Administrator and Chief Information Officer

TO:           Rudolph M. Brevard
              Director, Information Resources Management Assessments

In response to the draft Audit Report, "Improvements Needed in EPA's Network Security Monitoring Program" (OMS-FY11-0005), the Office of Environmental Information is pleased to provide you with our response to the OIG recommendations found in the report.

If you have any questions, please contact OEI Audit Follow-Up Coordinator, Scott Dockum at 202-566-1914.

Attachment


cc:    James McDonald
       Robbie Young
       Scott Dockum
       Elizabeth Braziel


                                         Office of Environmental Information / OTOP
                                                    Corrective Action Plan

Auditing Group: OIG
Audit Title: Improvements Needed in EPA's Network Security Monitoring Program
Audit No.: OMS-FY11-0005
Report Date: August 7, 2012
OEI Lead Offices: OTOP & SAISO
OEI Leads and Phone: OTOP - Anne Mangiafico 202-564-9483; SAISO - Robert McKinney (202) 564-0921

Recommendation 1: Develop and implement a strategy with milestone dates to incorporate EPA's headquarters program offices within the SIEM environment.
   Corrective Action: TISS will refine the project plan to reflect a thorough strategy for incorporating Program Offices into the SIEM environment. This strategy will include milestone dates for all Program Offices not already in SIEM.
   Planned Completion Date: 12/31/13
   Status: In Progress - Implementing Program Office devices into ArcSight is currently underway as part of the overall strategy. A project plan exists that lists each Program Office.
   POC for Recommendation: OTOP/TISS Lee Kelly
   Comments: There are multiple Program Offices already in ArcSight. Along with the Regional offices, other Program Offices are in various stages (Initial contact; Information Gathering; Testing; etc.) regarding implementation.
   Concur: Yes

Recommendation 2: Develop and implement a formal training program that will meet EPA's information security staff needs in using the SIEM tool. The training program should include a user guide on using the SIEM tool to generate reports and developing customized reports for filtering known and suspicious events.
   Corrective Action: TISS will further codify the training program for ArcSight by documenting evidence of training for users and formalizing training requirements for ArcSight access.
   Planned Completion Date: 12/31/12
   Status: In Progress – A user guide has been developed and made available to users. Efforts moving forward will focus on refining the user guide and formalizing the training program.
   POC for Recommendation: OTOP/TISS Lee Kelly
   Comments: Training on ArcSight is accomplished in various methods. (1) Upon being granted access to ArcSight a one-on-one session is scheduled with the user to go over the interface, basic/advanced searches, reports (default and custom) and queries among other items. This session usually lasts between 60-90 minutes; (2) Hewlett Packard (ArcSight manufacturer) also provides training courses on ArcSight on a fee-based schedule available from their website. (3) At the bi-weekly ArcSight user group meeting demonstrations are held on how to perform certain functions and the users have an opportunity to ask questions on that topic. A user guide that includes chapters on reports and searches has been posted to the EPA SIEM collaboration page. This information was announced at the last user group meeting.
   Concur: Yes

Recommendation 3: Develop a policy or revise the Agency's Information Security Policy to comply with NIST SP 800-92. This policy should include, but not be limited to, defining log storage and disposal requirements and roles and responsibilities for the log management infrastructure.
   Corrective Action: The SAISO will review the Agency's Information Security Policy/Procedure to comply with NIST SP 800-92 and revise if necessary.
   Planned Completion Date: TBD
   Concur: Yes

Recommendation 4: Finalize the SIEM tool's "Enterprise Reference Guide."
   Corrective Action: The Enterprise Reference Guide will be reviewed to determine gaps between its guidance and the current status of the SIEM project. The Enterprise Reference Guide will be updated and finalized, and referenced in other TISS/CSIRC operating procedures if necessary.
   Planned Completion Date: 3/29/13
   Status: In Progress
   POC for Recommendation: OTOP/TISS Lee Kelly
   Concur: Yes

Recommendation 5: Appoint in writing a central point of contact for tracking the completion of weaknesses discovered during internal assessments.
   Corrective Action: The SAISO is currently responsible in accordance with FISMA as the central point of contact for tracking weaknesses. OTOP/NCC will appoint in writing a central point of contact for tracking the completion of weaknesses discovered during internal assessments.
   Planned Completion Date: TBD
   Concur: No

Recommendation 6: Create POA&Ms for all recommendations applicable to Agency internal reports identified in Appendix B.
   Corrective Action: The SAISO will create POA&Ms for all applicable recommendations to Agency internal reports identified in Appendix B.
   Planned Completion Date: TBD
   Concur: Yes

Recommendation 7: Develop and implement a process to verify that identified weaknesses in Appendix B are addressed and decisions are documented on actions taken.
   Corrective Action: The SAISO will develop an enhanced process model for the full life cycle management of Plans of Actions and Milestones (POA&M) resulting from identified weaknesses of the Agency Information Security Program.
   Planned Completion Date: TBD
   Concur: Yes

Recommendation 8: Develop and implement a process to verify that regions and program office staff address vulnerabilities from NCC scans.
   Corrective Action: OTOP/NCC will revise the agency's vulnerability management standard operating procedure (SOP) to incorporate a verification process to ensure regions and program offices are appropriately addressing vulnerabilities from NCC scans. The revised SOP is contingent upon OEI CIO approval/signature of the "Information Security Interim Roles and Responsibilities Procedures" document currently in process.
   Planned Completion Date: 2/15/2013
   Status: On-going
   POC for Recommendation: OTOP/NCC John Gibson
   Comments: Review of new EPA Infosec Policy will be required
   Concur: Yes

During the OIG exit conference September 12, 2012, it was agreed that recommendation # 5 was to be amended as follows.

Recommendation 5 (Amended), new text: Issue a memorandum to OEI officials requiring the SAISO be the addressee on all internal security reports and reviews in order to ensure identified weaknesses are recorded within the Agency's security weakness tracking system.
   Corrective Action: SAISO will issue a memo to OEI officials.
   Planned Completion Date: TBD
   Status: Ongoing
   POC for Recommendation: SAISO
   Concur: Yes


                                                                                Appendix D

                                    Distribution
Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Senior Agency Information Security Officer, Office of Environmental Information
Director, Office of Technology Operations and Planning, Office of Environmental Information
Acting Director, Enterprise Desktop Solutions Division, Office of Environmental Information
Director, Technology and Information Security Staff, Office of Environmental Information
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Audit Follow-Up Coordinator, Office of Environmental Information
Audit Follow-Up Coordinator, Office of Technology Operations and Planning, Office of Environmental Information
Audit Follow-Up Coordinator, Technology and Information Security Staff, Office of Environmental Information